Weekly report on viruses and intruders

This week's report focuses on Netsky.AG, Darby.gen, JPGTrojan.D, Funner.A and Nemsi.A.

Netsky.AG, which was created by modifying the executable file of Netsky.B, sends itself out via email to all the addresses it finds in files with certain extensions, using its own SMTP engine. To deceive recipients, Netsky.AG spoofs the sender address with one of the addresses it harvests from files on the affected computer, so the message appears to come from an uninvolved third party and the From header says nothing about the real source. This worm can also spread through P2P (peer-to-peer) file sharing programs.

When it is run, Netsky.AG shows an error message on screen and tries to copy itself to all the drives on the computer except CD-ROM drives. This variant of Netsky also deletes the Registry entries created by other worms, including Mydoom.A and Mimail.T.

Darby.gen is a generic detection that covers variants of the Darby family of worms, including ones not yet individually analysed. This group of worms spreads via email and P2P file sharing programs. They also terminate the processes belonging to antivirus programs and other security applications, such as firewalls and system monitoring tools, leaving computers vulnerable to attack from other malware.

The third threat in today's report is JPGTrojan.D, a tool for creating JPG images that exploit the Buffer Overrun in JPEG processing vulnerability described in Microsoft bulletin MS04-028. JPGTrojan.D is not itself a worm: the malformed images it produces do the damage when they are opened on an unpatched computer.

Opening an image created by JPGTrojan.D on a vulnerable computer can open a port that allows remote access to the affected computer, and can download an executable file from the Internet and run it. Computers on which the GDI+ component (gdiplus.dll) has been updated as described in MS04-028, including the private copies of that component that some applications install alongside themselves, are not affected by these images.
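The flaw patched by MS04-028 lies in how GDI+ handled the JPEG comment (COM, marker 0xFFFE) segment: the 16-bit length field counts its own two bytes, the parser subtracted 2 without checking, and a declared length of 0 or 1 underflowed into an enormous copy. The following is an added example, not code from the original report or from Panda Software: a marker-segment walker that flags exactly that condition, so an image can be triaged before it is opened by a possibly unpatched viewer. The JPEG headers it scans are constructed inline by `build_jpeg`; the APP0 and SOS payloads are minimal placeholders, not real image data.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RSTn, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG file up to the start of scan data.

    Yields (marker, declared_length, offset_of_0xFF). Raises ValueError when
    the file is truncated or a marker is not where one is expected.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, None, start
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        length = struct.unpack(">H", data[pos:pos + 2])[0]
        yield marker, length, start
        if marker == SOS:
            return          # entropy-coded data follows; no more segments to walk
        if length < 2:
            return          # length excludes even its own two bytes; cannot advance safely
        pos += length       # length covers the two length bytes plus payload


def find_ms04_028_com_segments(data: bytes) -> list:
    """Offsets of COM segments whose declared length is 0 or 1 (the MS04-028 trigger)."""
    return [off for marker, length, off in scan_jpeg_segments(data)
            if marker == COM and length is not None and length < 2]


def build_jpeg(com_length: int, comment: bytes = b"hi") -> bytes:
    """Constructed test input: SOI, a JFIF APP0, a COM with the given declared length, SOS."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    com = b"\xff\xfe" + struct.pack(">H", com_length) + comment
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + com + sos


if __name__ == "__main__":
    for declared in (4, 1, 0):
        hits = find_ms04_028_com_segments(build_jpeg(declared))
        print(f"COM length {declared}: {'suspicious at ' + str(hits) if hits else 'ok'}")
```

A well-formed comment of `n` bytes declares length `n + 2`, so 4 is the smallest legitimate value for the two-byte comment used here; a scanner built this way stops at the first COM it cannot step over rather than trusting the length, which is the behaviour the vulnerable parser lacked.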

Funner.A is a worm that spreads through MSN Messenger and modifies the HOSTS file so that certain hostnames resolve to addresses chosen by the worm, preventing the user from accessing those websites. What's more, on Windows Me/98/95 computers it changes the SYSTEM.INI file to ensure that it is run whenever the computer starts up, and overwrites the RUNDLL32.EXE file with a copy of itself.
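Because the HOSTS file is consulted before DNS, an entry added by malware silently redirects or sinkholes a site for every application on the machine. The following is an added example, not part of the original report and not describing Funner.A's specific entries (which the report does not list): an audit routine that parses a HOSTS file, ignores the stock localhost mappings, and reports every other entry, giving priority to hostnames on a caller-supplied watch list such as security-vendor update domains. The sample HOSTS content and the `.test` domain names are constructed for the example.

```python
import ipaddress

# Mappings a stock Windows HOSTS file legitimately carries.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for every mapping in HOSTS content.

    Blank lines, full-line comments and inline '#' comments are ignored; a line
    may map one address to several names.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                      # not a mapping; nothing to resolve
        address, *names = fields
        for name in names:
            yield line_no, address, name.lower()


def audit_hosts(text: str, watchlist=()) -> list:
    """Return suspicious entries as (line_no, address, hostname, reason).

    Everything beyond EXPECTED is reported. Watch-listed hosts (exact or
    subdomain match) are reported regardless of the address they point at.
    """
    watch = {w.lower() for w in watchlist}
    findings = []
    for line_no, address, name in parse_hosts(text):
        if (address, name) in EXPECTED:
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, name, "unparseable address"))
            continue
        if any(name == w or name.endswith("." + w) for w in watch):
            reason = "watchlisted host pinned to " + address
        elif ip.is_loopback or ip.is_unspecified:
            reason = "host sinkholed to " + address
        else:
            reason = "host pinned to " + address
        findings.append((line_no, address, name, reason))
    return findings


# Constructed sample: one legitimate line plus three tampered ones.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test      # update site sent to loopback
0.0.0.0         download.example-av-vendor.test
10.0.0.5        intranet.example.test           # pinned to a chosen address
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, watchlist=["example-av-vendor.test"]):
        print("line %d: %-32s %s" % (finding[0], finding[2], finding[3]))
```

On Windows the file lives at `%SystemRoot%\System32\drivers\etc\hosts`; on other systems at `/etc/hosts`. Read it with a plain file open and pass the text in. An entry pointing a vendor's update domain at 127.0.0.1 or 0.0.0.0 is the pattern that blocks users from reaching the site, which is why loopback and unspecified addresses get their own reason string here.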

We finish today's report with Nemsi.A, a virus that does not spread automatically by its own means. It reaches computers when previously infected files are distributed through any of the usual transmission channels (floppy disks, CD-ROMs, email messages with infected attachments, IRC channels, etc.).

Nemsi.A infects EXE files by inserting its code at the beginning of them (prepending). After it has infected a computer, this virus changes the icon of the infected EXE files, a visible side effect of the virus code, rather than the original program, now occupying the start of the file. If it is run on September 13, it causes a general protection fault (blue screen) in Windows.

For further information about these and other computer threats, visit Panda Software's Virus Encyclopedia.

Additional information - Prepending: This is a technique viruses use to infect files by adding their code to the beginning of the file. Because execution starts at the beginning of the file, the virus code runs first whenever the infected file is used, and typically then hands control to the original program so that the infection goes unnoticed.
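The layout this implies, and the disinfection it permits, is worth seeing concretely. The following is an added example, not code from the original report and not a model of Nemsi.A's actual file format (which the report does not describe): a prepended file is treated as stub, then a small header the stub uses to find the host, then the untouched host. Because the host is stored whole, recovery is a matter of locating the boundary, validating what follows, and writing the host back out. The `PREP` marker, the header layout, the 64-byte stub stand-in and the MZ-prefixed sample host are all constructed for the example.

```python
import struct
import zlib

MAGIC = b"PREP"                      # constructed marker for this model
HEADER = struct.Struct("<4sII")      # magic, host length, CRC32 of host


def prepend_stub(stub: bytes, host: bytes) -> bytes:
    """Model of a prepending infection: stub first, header, then the unmodified host.

    Illustrates the file layout only; the stub here is inert filler.
    """
    return stub + HEADER.pack(MAGIC, len(host), zlib.crc32(host)) + host


def restore_host(infected: bytes, stub_len: int, expect_mz: bool = True) -> bytes:
    """Disinfect a prepended file: skip the stub, validate the header, return the host.

    stub_len is the known size of the prepended code for this infector. Raises
    ValueError when the file does not match the layout, so a clean or truncated
    file is never 'repaired' into garbage.
    """
    if len(infected) < stub_len + HEADER.size:
        raise ValueError("file too short to hold stub and header")
    magic, host_len, crc = HEADER.unpack_from(infected, stub_len)
    if magic != MAGIC:
        raise ValueError("marker not found at expected offset; not this infector")
    host = infected[stub_len + HEADER.size:]
    if len(host) != host_len:
        raise ValueError("host length mismatch (truncated or tampered)")
    if zlib.crc32(host) != crc:
        raise ValueError("host checksum mismatch")
    if expect_mz and host[:2] != b"MZ":
        raise ValueError("recovered data is not an EXE (no MZ signature)")
    return host


def is_infected(data: bytes, stub_len: int) -> bool:
    """True when the file carries a valid prepended stub of this model."""
    try:
        restore_host(data, stub_len)
        return True
    except ValueError:
        return False


# Constructed samples: a stand-in stub and a stand-in host executable.
STUB = b"MZ" + b"\x90" * 62                      # the stub's own EXE header sits at offset 0
HOST = b"MZ" + b"\x00" * 100 + b"original program body"

if __name__ == "__main__":
    infected = prepend_stub(STUB, HOST)
    print("infected file grew by", len(infected) - len(HOST), "bytes")
    print("host recovered intact:", restore_host(infected, len(STUB)) == HOST)
```

The stub's header sitting at offset 0 is also why the shell shows the infected files with a different icon: whatever resources the first executable image in the file carries are the ones Explorer displays. A disinfector that does not verify the header and checksum, or that does not know the exact stub size, risks cutting the host at the wrong byte, which is why both checks are kept here.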

Other Resources

IT Reseller

Established in 1997, IT Reseller is the industry-leading journal for the channel, dedicated to providing cutting-edge news and advice on a wide variety of vertical technology sectors. The editorial comprises exclusive reports on technological and market trends, together with contributions by leading solutions vendors and research analysts, helping resellers, VARs, systems integrators and distributors to secure a competitive edge by running their business more efficiently and more profitably. Regular technology themes include: Automatic Data Capture, RFID, Convergence Technology/Comms, Cloud Computing, Printing & Labelling, Document Management, Networking and UPS.